OpenSSL-3.+ how to configure [random]?
Blumenthal, Uri - 0553 - MITLL
uri at ll.mit.edu
Wed Nov 10 22:37:26 UTC 2021
On 11/10/21, 15:20, "openssl-users on behalf of Dr Paul Dale" <openssl-users-bounces at openssl.org on behalf of pauli at openssl.org> wrote:
> I'm pretty sure the underlying problem is that there is a call to
> RAND_set_rand_method() or RAND_set_rand_engine() occurring (likely the
> These completely replace the built in RNG infrastructure with the
> RAND_METHOD/engine. If the engine then fails to produce output for any
> reason, the observed results will present.
And randomness retrieval in PKCS#11 engine is broken, because otherwise it would've gotten some randomness form the hardware token, right?
> Adding the RDRAND engine again replaces the RAND_METHOD and things begin
> I've no idea why the PKCS#11 engine has stopped working with 3.0. It
> wasn't meant to.
This made me questioning what's going on. It's been quite some time since I updated 'pkcs11' engine for OSSL-1.1.1.
And I observe that the current version of the PKCS#11 engine does not work correctly, i.e., does not serve randomness, on OpenSSL-1.1.1 *and* 3.x.
$ OPENSSL_CONF="" openssl version
OpenSSL 3.0.0 7 sep 2021 (Library: OpenSSL 3.0.0 7 sep 2021)
$ OPENSSL_CONF="" openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl-1.1 rand -engine pkcs11 -hex 8
engine "pkcs11" set.
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl version
OpenSSL 3.1.0-dev (Library: OpenSSL 3.1.0-dev )
$ OPENSSL_CONF="" ~/openssl-3/bin/openssl rand -engine pkcs11 -hex 8
Engine "pkcs11" set.
$ OPENSSL_CONF="" openssl rand -hex 8
I'll bring this up with its maintainers.
On 11/11/21 1:36 am, Blumenthal, Uri - 0553 - MITLL wrote:
> Yes, it's related to https://github.com/openssl/openssl/issues/16996, and yes - the same solution worked.
> There's something wrong with how PKCS#11 engine deals with (or presents itself as) rand provider.
> In any case, removing PKCS#11 engine from the [engines] section alleviated this problem.
> P.S. I configured rand seed sources the standard way: "--with-rand-seed=rdcpu,os", as I think everybody does.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5249 bytes
Desc: not available
More information about the openssl-users